1 Advanced IPv6 Residential Security, draft-vyncke-advanced-ipv6-security-00.txt. Mark Townsley townsley@cisco.com, Eric Vyncke evyncke@cisco.com. November 2009

2 V6OPS Simple-Security for Residential Networks
1. Embedded (static) policy definition (e.g., from draft-v6ops-simple-security…)
2. Ports are either opened implicitly via outbound flows, or explicitly via policy switches. Otherwise, all inbound traffic is dropped. Most incoming flows are “guilty until proven innocent”; this mimics the current low-end IPv4 home gateways/routers.
3. Troubleshooting: typically little to no feedback to the user on what traffic is dropped and why.
4. User/application control: policy knobs via UI or protocols (NAT-PMP, UPnP) to interact with firewall settings.

3 Basic Idea
[Figure: a “large enterprise” network with a large number of global IP addresses, beside a typical residential IPv6 network]
Observation: the large global address space of IPv6 allows any residential network to resemble an enterprise network that holds a large IPv4 global address block.

4 Security Features
V6ops is in the process of defining what residential IPv6 security should look like, so perhaps we should examine the security features that are used in enterprise networks today and see how they might apply in a residential security setting.

5 Security Features
These techniques are not IPv6-specific per se, but we were discussing them within the context of IPv6 in v6ops.

6 Overview
- 7 policies are identified in the -00. These are largely based on features which are commonly available in “advanced” security gear for enterprises today.
- The home edge router is not something that is purchased and thrown away when obsolete. Instead, it is actively updated, like many other consumer devices are today (PCs, iPods and iPhones, etc.).
- The business model may include a paid subscription service from the manufacturer, a participating service or content provider, a consortium, etc.

7 Advanced Security
[Diagram: User Feedback; IPS; Dynamic Policy & Signatures Update; On-line Access to IP Address Reputation]

8 Why is this important to IPv6?
- Security policy can be adjusted to match the threat as attacks arrive.
- We don’t break end-to-end IPv6, unless we absolutely have to…
- …while providing arguably better security, troubleshooting, etc. than we would otherwise.

9 Default Security Policy
1. RejectBogon: including uRPF checks
2. BlockBadReputation: for in/outbound traffic
3. AllowReturn: and apply IPS on in/outbound traffic
4. AllowToPublicDnsHost: allow inbound traffic to an inside host that has a AAAA and a reverse-DNS record
5. ProtectLocalOnly: block all inbound traffic to an inside host which never transmitted to the outside (à la full-cone)
6. CryptoIntercept: intercept all inbound SSL/TLS connections, present a (self-signed) cert, decrypt and re-encrypt; the goal is to apply IPS
7. ParanoidOpenness: allow ALL inbound traffic by default; see more on the next slide

10 More on Paranoid Openness
- All other inbound flows are permitted.
- Rate limit (SYN & plain data): to protect low-bandwidth residential links; basic protection against host scans.
- If authenticated flow (e.g. HTTP): perform a dictionary attack on the credential and reject too-obvious ones (or default ones); the goal is to force the user to select good credentials.
- IPS must be applied: if the protocol is unknown, then the flow MAY be permitted; if an attack is detected, then the flow MUST be denied.
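The order of the seven policies on slide 9 matters: a flow is decided by the first policy that matches, and “ParanoidOpenness” only sees what earlier policies did not already drop or admit. The evaluator below walks a flow through that order and also implements slide 2’s rule that an outbound flow opens the return path. It is an added example, not code from the draft or its authors. The inside prefix, bogon list, reputation entry, DNS records and weak-credential list are constructed sample data, and several matching details are assumptions: the uRPF check is modelled as “an inbound packet must not carry an inside source, an outbound packet must”, the IPS is represented by a verdict already attached to the flow, the dictionary attack on credentials by a lookup in a short wordlist, and the rate limit counts new inbound flows per inside host.

```python
"""Toy evaluator for the default policy list of slide 9, the Paranoid
Openness rules of slide 10 and slide 2's "outbound opens the port" rule.

Added example, not code from the draft or its authors.  All tables are
constructed sample data (2001:db8::/32 is the documentation prefix); the
uRPF, IPS, dictionary-attack and rate-limit models are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple
import ipaddress


@dataclass
class Flow:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "tcp"
    inbound: bool = True           # True: first packet arrives on the WAN side
    tls: bool = False              # inbound SSL/TLS, candidate for CryptoIntercept
    cred: Optional[str] = None     # credential seen on an authenticated flow (assumed IPS output)
    ips_verdict: str = "clean"     # "clean", "attack" or "unknown" (assumed IPS output)


class Gateway:
    def __init__(self, inside_prefix, bogons, bad_reputation, dns_aaaa, dns_ptr,
                 weak_creds, rate_limit=10):
        self.inside = ipaddress.ip_network(inside_prefix)
        self.bogons = [ipaddress.ip_network(b) for b in bogons]
        self.bad_reputation = set(bad_reputation)
        self.dns_aaaa = dict(dns_aaaa)            # name -> address
        self.dns_ptr = dict(dns_ptr)              # address -> name
        self.weak_creds = set(weak_creds)
        self.rate_limit = rate_limit
        # state learnt from outbound traffic (slide 2, AllowReturn, ProtectLocalOnly)
        self.sessions: Set[Tuple[str, int, str, int, str]] = set()
        self.talked_outside: Set[str] = set()
        self.new_flows: Dict[str, int] = {}       # per inside host, for the rate limit

    def _ips(self, f: Flow, permit: str = "allow") -> str:
        """Apply the IPS verdict: a detected attack is always dropped."""
        return "deny" if f.ips_verdict == "attack" else permit

    def evaluate(self, f: Flow) -> Tuple[str, str]:
        """Decide the first packet of a flow; returns (policy, action)."""
        src = ipaddress.ip_address(f.src)
        # 1. RejectBogon, including the uRPF-style source check (assumed model)
        if any(src in net for net in self.bogons):
            return "RejectBogon", "deny"
        if f.inbound and src in self.inside:          # inside source arriving from the WAN
            return "RejectBogon", "deny"
        if not f.inbound and src not in self.inside:  # outbound packet with a foreign source
            return "RejectBogon", "deny"
        # 2. BlockBadReputation, both directions
        if f.src in self.bad_reputation or f.dst in self.bad_reputation:
            return "BlockBadReputation", "deny"
        if not f.inbound:
            # outbound: open the return path and remember that this host talks outside
            self.sessions.add((f.src, f.sport, f.dst, f.dport, f.proto))
            self.talked_outside.add(f.src)
            return "AllowReturn", self._ips(f)
        # 3. AllowReturn: reply to a session opened from the inside
        if (f.dst, f.dport, f.src, f.sport, f.proto) in self.sessions:
            return "AllowReturn", self._ips(f)
        # 4. AllowToPublicDnsHost: reverse record exists and its name resolves back to dst
        name = self.dns_ptr.get(f.dst)
        if name is not None and self.dns_aaaa.get(name) == f.dst:
            return "AllowToPublicDnsHost", self._ips(f)
        # 5. ProtectLocalOnly: the host never transmitted to the outside
        if f.dst not in self.talked_outside:
            return "ProtectLocalOnly", "deny"
        # 6. CryptoIntercept: terminate TLS on the gateway so the IPS sees plaintext
        if f.tls:
            return "CryptoIntercept", self._ips(f, "intercept")
        # 7. ParanoidOpenness: permit by default, with rate limit, credential check and IPS
        n = self.new_flows[f.dst] = self.new_flows.get(f.dst, 0) + 1
        if n > self.rate_limit:
            return "ParanoidOpenness", "rate-limited"
        if f.cred is not None and f.cred.lower() in self.weak_creds:
            return "ParanoidOpenness", "deny"          # obvious or default credential
        return "ParanoidOpenness", self._ips(f)       # unknown protocol MAY be permitted


def make_sample_gateway(rate_limit: int = 10) -> Gateway:
    """Gateway loaded with constructed sample tables, not real feeds."""
    return Gateway(
        inside_prefix="2001:db8:1::/64",
        bogons=["::/8", "fc00::/7"],
        bad_reputation={"2001:db8:bad::1"},
        dns_aaaa={"www.example.com": "2001:db8:1::30"},
        dns_ptr={"2001:db8:1::30": "www.example.com"},
        weak_creds={"password", "admin", "123456"},
        rate_limit=rate_limit,
    )
```

Feeding `make_sample_gateway()` an outbound flow from `2001:db8:1::10` and then its reply shows AllowReturn at work; an unsolicited flow to `2001:db8:1::20`, which never spoke outside, stops at ProtectLocalOnly, while the same flow to the DNS-published `2001:db8:1::30` is admitted by AllowToPublicDnsHost and a new port on `::10` falls through to ParanoidOpenness. The full-cone behaviour is the notable design choice: once a host has sent anything outside, every external peer may reach it on any port, so the rate limit, credential check and IPS in step 7 are what keep that openness from being a free scan target.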

11 Conclusion
- “simple-security” as is being defined now is not the only possible residential gateway security model.
- “Advanced” security methods can provide adaptable and robust security that can better track threats as attacks appear on IPv6… giving us the chance for more open policies with respect to end-to-end connectivity.

12 Our Ask to V6OPS as of Tuesday: Possible Next Steps…
- Nothing; continue with simple-security as is.
- See what modern security methods we might be able to bring into simple-security, while keeping the “static” mode of operation it assumes now.
- Define an “advanced security” mode that includes dynamic tracking of threats as attacks arrive, and adjusts policies accordingly.

13 Consensus at V6OPS
- Very nice proposal
- Incorporation of some parts in the simple-security I-D
- Propose a BoF for Anaheim; potentially move to the HOMEGATE WG?
- Several other people interested in working on this

